Description

It would appear that I cannot call login without calling authenticate() because the 'backend' member variable does not exist until you call authenticate.
This seems rather unfriendly at least, but also limiting for no good reason. What if I want to handle authentication myself?

My usage of this is a signup page. I create the user, and I just want to directly log them in by calling login(request, user) on my newly created user object. I would rather not have an extra authenticate() call.


Change History (1)

This is not a good idea. The login() method is designed to make the current authorisation token persistent. It assumes the user has already been authorised by passing an authentication phase. That is one reason why we also record which backend they authenticated against, so that we can interact with it later if needs be.

If you want to handle the authentication yourself, then writing your own authentication backend is the solution. If you want to log them in immediately after creating the account, you will have the password and username (if that's what your auth backend needs) at that point and can call authenticate() correctly. But marking a user as logged in without having authenticated them via one of the approved backends with the required credentials would be a security hole (it would let apps work around a site's configured security settings, for example).